On Tue, 1 Mar 2005 22:06:48 -0500, Dave Watts <[EMAIL PROTECTED]> wrote:
> > If someone's installing Visio Enterprise to "work on
> > flowcharts at home", they probably got it from work.
> > Licensing issues aside (since we'll assume they're good
> > there) then their home box gets hosed. PITA, but not much
> > impact on the business.
> 
> My point has nothing to do with "impact on the business". You stated that
> anyone running an unprotected SQL Server was an idiot. I took issue with
> that, and provided a counterexample. It's as simple as that.

And I'm still not convinced by your counterexample. While MSDE is
certainly fundamentally SQL Server (and now officially named that in
the 2005 product editions) the original point was that leaving your
SQL Server wide open for TCP/IP access was an idiotic thing to do. And
on a ColdFusion list, clearly from context we're talking about the SQL
Server(s) interacting with the ColdFusion server(s). (I will make that
clear next time ;)

I think the main value of the MSDE counterexample is as a reminder
that you need to secure your SQL Server against both external threats
(e.g. locking down TCP/IP access) and *internal* threats that avoid or
circumvent the externally-facing security measures. If Joe Homeuser
picks up Slammer on his Visio-installed MSDE, that sucks for him --
but if Jane Sysadmin hasn't protected the internal systems from such a
scenario then she's probably on the way to clean out her desk.

> > How is this any different than the corporate education about
> > opening attachments (bad) and phishing (bad)? Most people,
> > I'd put forth, *do* know that the internet isn't all that
> > safe and they should be running a firewall. WinXP SP2 finally
> > has it builtin, for gosh sakes.
> 
> While most people may know that they should be running a firewall, I doubt
> very much that most of these people even know what a firewall is. And when
> their system pops up a little message saying "do you want to allow traffic
> from [socket 1] to [socket 2]", they'll click the OK button in many cases
> even if they don't know the import of their actions. And again, your analogy
> with corporate education about attachments just highlights the idiocy of our
> industry - we find it more efficient to train untold thousands of people not
> to double-click something, rather than design a safe system in the first
> place! If we built cars, we'd tell people "don't drive downhill because the
> brakes don't work", rather than just fixing the damn brakes. How idiotic is
> that?

I think we both agree that it's idiotic as an industry that we have to
deal with anti-virus software, spam filters, spyware, worms, phishing,
and the like. It's hard to claim otherwise! But we've got the systems
we've got -- if your car *doesn't* have brakes and you say to yourself
"Well, it should have brakes so I'm going to go down this hill anyway.
It will be the engineers' fault!" you are pretty foolish. If you
however attach a parachute to the back of the car to slow you (or do a
Fred Flintstone with your feet to stop) you've at least hedged your
bets.

> > Actually, I think the answer to your question is yes, you did
> > have something happen to you that was completely avoidable
> > and probably deserve it. You chose to keep your door open
> > when there's a high likelihood of attack (we're comparing to
> > the security of the internet, remember).
> 
> You have a peculiar way of defining "deserved".

To think that the result has been "earned" by your actions? That you
"merited" the attack? (a few definitions just to make sure I'm using
the word in a normal fashion...). I think the cracker, script kiddie,
or disgruntled employee who now has access to your data would
certainly think you deserved it.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]
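The message above distinguishes two threats to a SQL Server that only the ColdFusion servers should talk to: external exposure (TCP/IP open to the internet) and internal exposure (a worm such as Slammer arriving on a LAN host that was never supposed to reach the database). The following is an added example, not code from the original thread or from either participant; it audits a firewall ruleset for both cases. The rule format (`allow|deny proto port source_cidr`), the two rulesets and the ColdFusion subnet `10.0.1.0/24` are constructed for the example. The ports are real: SQL Server and MSDE use 1433/tcp for the database engine and 1434/udp for the SQL Server Resolution Service, which is the port Slammer targeted.

```python
import ipaddress

# Ports SQL Server and MSDE listen on: 1433/tcp for the database engine and
# 1434/udp for the SQL Server Resolution Service (the port Slammer hit).
SQL_SERVER_PORTS = {("tcp", 1433), ("udp", 1434)}

# RFC 1918 ranges, used to tell an over-broad internal rule from a public one.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rule(line):
    """Parse one rule in the constructed format 'allow|deny proto port source_cidr'."""
    action, proto, port, source = line.split()
    return {"action": action, "proto": proto, "port": int(port),
            "source": ipaddress.ip_network(source)}


def sql_exposure(rule_lines, allowed_clients):
    """Report allow rules that open a SQL Server port to any source that is not
    fully inside an allowed client network (e.g. the ColdFusion servers' subnet).

    Returns a list of (scope, proto, port, source) where scope is 'external'
    (public or any-source rule) or 'internal' (a private network wider than
    the allowed clients, the case the message warns about)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_clients]
    findings = []
    for line in rule_lines:
        rule = parse_rule(line)
        if rule["action"] != "allow":
            continue
        if (rule["proto"], rule["port"]) not in SQL_SERVER_PORTS:
            continue
        # A source is acceptable only if it lies entirely inside an allowed network.
        if any(rule["source"].subnet_of(net) for net in allowed):
            continue
        internal = any(rule["source"].subnet_of(net) for net in RFC1918)
        scope = "internal" if internal else "external"
        findings.append((scope, rule["proto"], rule["port"], str(rule["source"])))
    return findings


# Constructed rulesets. CF_SERVERS is the only network that should reach SQL Server.
CF_SERVERS = ["10.0.1.0/24"]

WEAK_RULES = [
    "allow tcp 1433 0.0.0.0/0",    # engine reachable from the whole internet
    "allow udp 1434 10.0.0.0/8",   # resolution service open to the entire LAN
    "allow tcp 80 0.0.0.0/0",      # unrelated web rule, ignored by the audit
]

HARDENED_RULES = [
    "allow tcp 1433 10.0.1.0/24",  # only the CF subnet reaches the engine
    "deny udp 1434 0.0.0.0/0",     # resolution service not exposed at all
    "deny tcp 1433 0.0.0.0/0",
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, sql_exposure(rules, CF_SERVERS))
```

Run against the weak ruleset the audit flags both the any-source rule on 1433/tcp (external) and the LAN-wide rule on 1434/udp (internal); the hardened ruleset produces no findings because the only allow rule is scoped to the ColdFusion subnet. The check deliberately treats "internal but broader than the clients that need access" as a finding, which is the point the message makes about Joe Homeuser's MSDE sitting on the same network as the production database.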
